Forum Discussion
Force to terminate active session cookie
Hi John,
The most secure method to enforce cookie maximum lifetimes is not to depend on cookie expiration and server-side cookie deletion at all. Instead you should implement a server-side tracking mechanism to enforce that the cookie cannot be used longer than expected. This mechanism can be either implemented by your application itself or by using iRules...
Below is a rather simple iRule syntax that will keep an eye on the Set-Cookie responses of your web server and store the values of the given cookie name into a [table] for a specified lifetime. If the client is now sending the cookie to the server, another [table] statement is performed to check if the cookie value has an active [table] entry. If this is successful, the request would be forwarded to your backend, and if not successful, the cookie is silently removed from the request...
when HTTP_REQUEST {
    # Only validate requests that actually carry the cookie
    if { [HTTP::cookie exists "MYCookie"] } then {
        # -notouch: reading the entry must not refresh its timeout
        if { [table lookup -notouch [HTTP::cookie value "MYCookie"]] eq "" } then {
            # Unknown or expired value: strip the cookie before the backend sees it
            HTTP::cookie remove "MYCookie"
        }
    }
}
when HTTP_RESPONSE {
    # In HTTP_RESPONSE, HTTP::cookie operates on the Set-Cookie header
    if { [HTTP::cookie value "MYCookie"] ne "" } then {
        # Remember the issued value: timeout indefinite, absolute lifetime 10800 sec (= 3 hrs)
        table set [HTTP::cookie value "MYCookie"] "1" indef 10800
    }
}
Warning: Enforcing cookie lifetimes using the [table] command requires a certain amount of memory to store the individual values (aka stateful tracking). If memory is a concern for you, then you may switch to a rather complex stateless cookie tracking method, where an additional timestamp is put directly into the cookie value in combination with cookie encryption to make those values tamper resistant.
Cheers,
Kai
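The two approaches Kai describes, the stateful table with an absolute lifetime and the stateless timestamp-in-the-cookie variant, shown side by side as an added Python example (this is not Kai's code and not an F5 iRule; it is an application-side equivalent). The class names, the `now` clock parameter and the sample cookie values are hypothetical. The stateless variant uses an HMAC tag rather than encryption for tamper resistance, since the timestamp only needs integrity, not secrecy.

```python
import hashlib
import hmac
import time


class StatefulCookieTracker:
    """Application-side equivalent of the iRule's [table] approach.

    Every issued cookie value is remembered together with an absolute
    expiry; a presented value that is unknown or expired is dropped,
    exactly like the iRule's HTTP::cookie remove.
    """

    def __init__(self, lifetime_s=10800, now=time.time):
        self.lifetime_s = lifetime_s          # 10800 s = 3 hrs, as in the post
        self.now = now                        # injectable clock (hypothetical, for testing)
        self._table = {}                      # cookie value -> absolute expiry (epoch seconds)

    def on_set_cookie(self, value):
        # Counterpart of: table set <value> "1" indef 10800
        self._table[value] = self.now() + self.lifetime_s

    def filter_request_cookie(self, value):
        # Counterpart of: table lookup -notouch <value>; the read never
        # extends the entry, so the lifetime is absolute.
        expiry = self._table.get(value)
        if expiry is None:
            return None                       # never issued by us
        if self.now() >= expiry:
            del self._table[value]            # lifetime exhausted
            return None
        return value


class StatelessCookieTracker:
    """The memory-free alternative from the warning in the post.

    Cookie layout: "<session_id>.<issued_epoch>.<hmac_sha256_hex>".
    The server keeps no per-cookie state; the HMAC over id and timestamp
    makes both tamper-evident, so a client cannot push the issue time
    forward to extend its own session.
    """

    def __init__(self, key, lifetime_s=10800, now=time.time):
        self.key = key                        # server-side secret, never sent to the client
        self.lifetime_s = lifetime_s
        self.now = now

    def _tag(self, body):
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, session_id):
        # session_id must not contain "." (caller's responsibility)
        body = f"{session_id}.{int(self.now())}"
        return f"{body}.{self._tag(body)}"

    def filter_request_cookie(self, value):
        parts = value.split(".")
        if len(parts) != 3:
            return None                       # malformed
        session_id, issued_s, tag = parts
        body = f"{session_id}.{issued_s}"
        # Constant-time comparison: a forged or edited cookie fails here
        if not hmac.compare_digest(self._tag(body), tag):
            return None
        try:
            issued = int(issued_s)
        except ValueError:
            return None
        if self.now() - issued >= self.lifetime_s:
            return None                       # absolute lifetime exhausted
        return session_id


if __name__ == "__main__":
    # Constructed walk-through with a fake clock so the expiry is visible
    clock = [1000.0]
    stateful = StatefulCookieTracker(now=lambda: clock[0])
    stateful.on_set_cookie("abc123")
    print(stateful.filter_request_cookie("abc123"))       # still valid
    clock[0] += 10800
    print(stateful.filter_request_cookie("abc123"))       # expired -> None

    stateless = StatelessCookieTracker(b"demo-secret", now=lambda: clock[0])
    cookie = stateless.issue("sess1")
    print(stateless.filter_request_cookie(cookie))        # "sess1"
    sid, issued, tag = cookie.split(".")
    print(stateless.filter_request_cookie(f"{sid}.{int(issued) + 5000}.{tag}"))  # tampered -> None
```

Both trackers enforce the same rule (a value stops working at an absolute point in time no matter how actively it is used); the difference is only where the expiry lives, in server memory or inside the signed cookie.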